Bug 1793298 - dnf-automatic upgrades packages that do not have the signing key accepted
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: dnf
Version: 8.1
Hardware: Unspecified
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: 8.0
Assignee: Marek Blaha
QA Contact: Luca Berton
Docs Contact: Mariya Pershina
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-01-21 06:10 UTC by GV
Modified: 2020-11-04 01:53 UTC (History)

Fixed In Version: dnf-4.2.23-1.el8
Doc Type: Bug Fix
Doc Text:
.`dnf-automatic` now updates only packages with correct GPG signatures

Previously, the `dnf-automatic` configuration file did not check GPG signatures of downloaded packages before performing an update. As a consequence, unsigned updates or updates signed by a key that was not imported could be installed by `dnf-automatic` even though the repository configuration requires a GPG signature check (`gpgcheck=1`). With this update, the problem has been fixed, and `dnf-automatic` checks GPG signatures of downloaded packages before performing the update. As a result, only updates with correct GPG signatures are installed from repositories that require a GPG signature check.
Clone Of:
Environment:
Last Closed: 2020-11-04 01:52:25 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments
dnf-automatic configuration file (2.56 KB, text/plain)
2020-01-21 06:10 UTC, GV


Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHEA-2020:4510  0        None      None    None     2020-11-04 01:52:39 UTC

Description GV 2020-01-21 06:10:41 UTC
Created attachment 1654123
dnf-automatic configuration file

$ rpm -q -p dummy-1.0.0-1.c8.x86_64.rpm 
warning: dummy-1.0.0-1.c8.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 8725a212: NOKEY
dummy-1.0.0-1.c8.x86_64

$ rpm -q dummy-2.0.0-1.c8.x86_64.rpm 
warning: dummy-2.0.0-1.c8.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 8725a212: NOKEY
dummy-2.0.0-1.c8.x86_64

# rpm -ivh dummy-1.0.0-1.c8.x86_64.rpm 
warning: dummy-1.0.0-1.c8.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 8725a212: NOKEY
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:dummy-1.0.0-1.c8                 ################################# [100%]

# yum update
...
Dependencies resolved.
================================================================================
 Package         Architecture     Version                 Repository       Size
================================================================================
Upgrading:
 dummy           x86_64           2.0.0-1.c8              local           9.9 k

Transaction Summary
================================================================================
Upgrade  1 Package

Total size: 9.9 k
Is this ok [y/N]: y
Downloading Packages:
warning: /home/dummy/work/rpm/RPMS/x86_64/dummy-2.0.0-1.c8.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 8725a212: NOKEY
Public key for dummy-2.0.0-1.c8.x86_64.rpm is not installed
Error: GPG check FAILED

# systemctl status dnf-automatic
● dnf-automatic.service - dnf automatic
   Loaded: loaded (/usr/lib/systemd/system/dnf-automatic.service; static; vendor preset: disabled)
   Active: inactive (dead)

# systemctl start dnf-automatic
Job for dnf-automatic.service failed because the control process exited with error code.
See "systemctl status dnf-automatic.service" and "journalctl -xe" for details.

Relevant /var/log/messages entries:

Jan 21 08:04:01 c8 systemd[1]: Starting dnf automatic...
Jan 21 08:04:01 c8 dnf-automatic[987]: Running transaction check
Jan 21 08:04:02 c8 dnf-automatic[987]: Transaction check succeeded.
Jan 21 08:04:02 c8 dnf-automatic[987]: Running transaction test
Jan 21 08:04:02 c8 dnf-automatic[987]: Transaction test succeeded.
Jan 21 08:04:02 c8 dnf-automatic[987]: Running transaction
Jan 21 08:04:06 c8 dnf-automatic[987]: Traceback (most recent call last):
Jan 21 08:04:06 c8 dnf-automatic[987]:  File "/usr/bin/dnf-automatic", line 32, in <module>
Jan 21 08:04:06 c8 dnf-automatic[987]:    sys.exit(dnf.automatic.main.main(sys.argv[1:]))
Jan 21 08:04:06 c8 dnf-automatic[987]:  File "/usr/lib/python3.6/site-packages/dnf/automatic/main.py", line 264, in main
Jan 21 08:04:06 c8 dnf-automatic[987]:    emitters.commit()
Jan 21 08:04:06 c8 dnf-automatic[987]:  File "/usr/lib/python3.6/site-packages/dnf/util.py", line 493, in fn
Jan 21 08:04:06 c8 dnf-automatic[987]:    return list(map(call_what, self))
Jan 21 08:04:06 c8 dnf-automatic[987]:  File "/usr/lib/python3.6/site-packages/dnf/util.py", line 492, in call_what
Jan 21 08:04:06 c8 dnf-automatic[987]:    return method(*args, **kwargs)
Jan 21 08:04:06 c8 dnf-automatic[987]:  File "/usr/lib/python3.6/site-packages/dnf/automatic/emitter.py", line 103, in commit
Jan 21 08:04:06 c8 dnf-automatic[987]:    smtp = smtplib.SMTP(self._conf.email_host, timeout=300)
Jan 21 08:04:06 c8 dnf-automatic[987]:  File "/usr/lib64/python3.6/smtplib.py", line 251, in __init__
Jan 21 08:04:06 c8 dnf-automatic[987]:    (code, msg) = self.connect(host, port)
Jan 21 08:04:06 c8 dnf-automatic[987]:  File "/usr/lib64/python3.6/smtplib.py", line 336, in connect
Jan 21 08:04:06 c8 dnf-automatic[987]:    self.sock = self._get_socket(host, port, self.timeout)
Jan 21 08:04:06 c8 dnf-automatic[987]:  File "/usr/lib64/python3.6/smtplib.py", line 307, in _get_socket
Jan 21 08:04:06 c8 dnf-automatic[987]:    self.source_address)
Jan 21 08:04:06 c8 dnf-automatic[987]:  File "/usr/lib64/python3.6/socket.py", line 724, in create_connection
Jan 21 08:04:06 c8 dnf-automatic[987]:    raise err
Jan 21 08:04:06 c8 dnf-automatic[987]:  File "/usr/lib64/python3.6/socket.py", line 713, in create_connection
Jan 21 08:04:06 c8 dnf-automatic[987]:    sock.connect(sa)
Jan 21 08:04:06 c8 dnf-automatic[987]: OSError: [Errno 113] No route to host
Jan 21 08:04:06 c8 systemd[1]: dnf-automatic.service: Main process exited, code=exited, status=1/FAILURE
Jan 21 08:04:06 c8 systemd[1]: dnf-automatic.service: Failed with result 'exit-code'.
Jan 21 08:04:06 c8 systemd[1]: Failed to start dnf automatic.

# systemctl start dnf-automatic

Relevant /var/log/messages entries:

Jan 21 08:04:09 c8 systemd[1]: Starting dnf automatic...
Jan 21 08:04:09 c8 systemd[1]: Started dnf automatic.

# rpm -q dummy
dummy-2.0.0-1.c8.x86_64

# yum history undo last
Undoing transaction 65, from Tue 21 Jan 2020 08:04:02 AM EET
    Upgrade  dummy-2.0.0-1.c8.x86_64 @local
    Upgraded dummy-1.0.0-1.c8.x86_64 @@System
Dependencies resolved.
================================================================================
 Package         Architecture     Version                 Repository       Size
================================================================================
Downgrading:
 dummy           x86_64           1.0.0-1.c8              local           9.9 k

Transaction Summary
================================================================================
Downgrade  1 Package

Total size: 9.9 k
Is this ok [y/N]: y
Downloading Packages:
warning: /home/dummy/work/rpm/RPMS/x86_64/dummy-1.0.0-1.c8.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 8725a212: NOKEY
Public key for dummy-1.0.0-1.c8.x86_64.rpm is not installed
Error: GPG check FAILED

Comment 1 Marek Blaha 2020-01-28 08:51:42 UTC
dnf-automatic is not checking GPG keys of the packages before performing installation. PR https://github.com/rpm-software-management/dnf/pull/1580 addresses it.
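
An added example, not part of this bug report or of the dnf fix: a shell audit that lists installed packages whose signing key is not in the RPM keyring, which is the state an affected dnf-automatic could leave behind. The function names and the sample rows are constructed for illustration; only key ID 8725a212 is taken from the report.

```shell
#!/bin/sh
# Added example, not from the bug report: list installed packages whose
# signature key is not in the RPM keyring, or that carry no signature.

# find_untrusted "KEYIDS" reads "NEVRA<TAB>SIGINFO" lines on stdin, where
# SIGINFO is what rpm's :pgpsig formatter prints ("..., Key ID <hex>" or
# "(none)"), and KEYIDS is a whitespace-separated list of short key IDs.
# It prints "NEVRA<TAB>reason" for every package that is not trusted.
find_untrusted() {
    trusted=" $(printf '%s' "$1" | tr 'A-F\n' 'a-f ') "
    tab=$(printf '\t')
    while IFS="$tab" read -r nevra sig; do
        # imported keys show up as unsigned gpg-pubkey pseudo-packages
        case "$nevra" in ''|gpg-pubkey-*) continue ;; esac
        case "$sig" in
        *"Key ID "*)
            # keep the last 8 hex digits: that is the gpg-pubkey VERSION
            keyid=$(printf '%s\n' "${sig##*Key ID }" | tr 'A-F' 'a-f' |
                    sed 's/[^0-9a-f].*$//; s/^.*\(.\{8\}\)$/\1/')
            case "$trusted" in
            *" ${keyid:-none} "*) ;;
            *) printf '%s\tNOKEY %s\n' "$nevra" "$keyid" ;;
            esac ;;
        *)  printf '%s\tUNSIGNED\n' "$nevra" ;;
        esac
    done
    return 0
}

# Live audit. Assumption: RSA header signatures, as in the report's
# "Header V4 RSA/SHA256 Signature" warning.
audit_installed() {
    keys=$(rpm -q gpg-pubkey --qf '%{VERSION}\n') || keys=''
    rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\t%{RSAHEADER:pgpsig}\n' |
        find_untrusted "$keys"
}

# Constructed sample rows; only key ID 8725a212 is taken from the report.
sample_input() {
    printf '%s\t%s\n' \
        "bash-4.4.19-10.el8.x86_64" "RSA/SHA256, Tue 21 Jan 2020 08:00:00 AM EET, Key ID AAAAAAAA11111111" \
        "dummy-2.0.0-1.c8.x86_64" "RSA/SHA256, Tue 21 Jan 2020 08:00:00 AM EET, Key ID 000000008725a212" \
        "localtool-1.0-1.x86_64" "(none)" \
        "gpg-pubkey-11111111-5e000000" "(none)"
}

sample_input | find_untrusted "11111111"
```

On a host, `audit_installed` runs the same check against the real RPM database; any hit on a machine that ran dnf-automatic before dnf-4.2.23-1.el8 is worth tracing back through `yum history`.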

Comment 16 errata-xmlrpc 2020-11-04 01:52:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (yum bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:4510

